Warning issued over 'Backoff' point-of-sale malware

The US Computer Emergency Response Team (US-CERT) has warned of new and potentially dangerous malware that is believed to have already infected some 600 retail businesses.

Known as Backoff, it first appeared in October 2013 and comes in at least three main variants. It can log keystrokes, scrape point-of-sale device memory for credit and debit card data and can send this data back to other nodes in a wider botnet. Finally, it injects a "malicious stub" into the Windows explorer.exe file.

The advisory continues: "Keylogging functionality is also present in most recent variants of 'Backoff'. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware."

Furthermore, the Backoff malware family is largely undetected by current anti-virus software, although signatures will be introduced soon. "Information security professionals recommend a defence in depth approach to mitigating risk to retail payment systems. While some of the risk mitigation recommendations are general in nature," states the advisory.

It also provides a précis of the retail system security strategies to minimise the risk of compromise:

Remote desktop access

Configure the account lock-out settings to lock a user account after a period of time or a specified number of failed login attempts. This prevents unlimited unauthorised attempts to log in, either from an unauthorised user or via automated attack types like brute force;

Limit the number of users and workstations who can log in using Remote Desktop;

Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default is TCP 3389);

Change the default Remote Desktop listening port;

Define complex password parameters. Configuring an expiration time and password length and complexity can decrease the amount of time in which a successful attack can occur;

Require two-factor authentication (2FA) for remote desktop access;

Install a Remote Desktop Gateway to restrict access;

Add an extra layer of authentication and encryption by tunneling your Remote Desktop through IPSec, SSH or SSL;

Require 2FA when accessing payment processing networks. Even if a virtual private network is used, it is important that 2FA is implemented to help mitigate keylogger or credential dumping attacks;

Review firewall configurations and ensure that only allowed ports, services and Internet protocol (IP) addresses are communicating with your network. This is especially critical for outbound firewall rules in which compromised entities allow ports to communicate to any IP address on the Internet. Hackers leverage this configuration to exfiltrate data to their IP addresses;

Perform a binary or checksum comparison to ensure unauthorised files are not installed;

Ensure any automatic updates from third parties are validated. This means performing a checksum comparison on the updates prior to deploying them on PoS systems. It is recommended that merchants work with their PoS vendors to obtain signatures and hash values to perform this checksum validation;
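As an added illustration of the binary/checksum comparison recommended above (this is not code from the advisory or from any PoS vendor), the following Python script compares a PoS install directory against a baseline of vendor-supplied SHA-256 hashes and reports files that were modified, added without authorisation, or removed. The directory layout, file contents and the baseline itself are constructed inside the demo; in practice the baseline would come from the vendor's signed hash list.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(root, baseline):
    """Compare every file under root with the vendor baseline.

    baseline maps a relative POSIX path to its expected hex SHA-256.
    Returns sorted lists of 'modified', 'unauthorised' and 'missing' paths.
    """
    root = Path(root)
    seen, modified, unauthorised = set(), [], []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        expected = baseline.get(rel)
        if expected is None:
            unauthorised.append(rel)          # file the vendor never shipped
        elif not hmac.compare_digest(sha256_of(p), expected):
            modified.append(rel)              # content differs from the vendor hash
    missing = sorted(set(baseline) - seen)    # baseline file no longer present
    return {"modified": modified, "unauthorised": unauthorised, "missing": missing}


def demo():
    """Constructed scenario: record a baseline, then tamper with the install."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "pos.exe").write_bytes(b"legit pos binary")          # hypothetical names
        (root / "lib").mkdir()
        (root / "lib" / "pay.dll").write_bytes(b"legit payment library")
        (root / "config.ini").write_bytes(b"[pos]\nmode=prod\n")
        baseline = {p.relative_to(root).as_posix(): sha256_of(p)
                    for p in root.rglob("*") if p.is_file()}
        # Simulated unauthorised update: patch a library, drop a file, delete the config.
        (root / "lib" / "pay.dll").write_bytes(b"patched payment library")
        (root / "update_tmp.exe").write_bytes(b"file not in vendor baseline")
        (root / "config.ini").unlink()
        return verify_tree(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Any non-empty list in the result should block the deployment and trigger a review before the PoS system goes back into service.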
